FBI Alert: Russian Hackers Target Ubiquiti Routers for Data, Botnet Creation

Russian hackers, part of Russia’s Main Intelligence Directorate of the General Staff, are using compromised Ubiquiti EdgeRouters to build extensive botnets, steal credentials, collect NTLMv2 digests, and proxy malicious traffic.

The FBI, NSA, US Cyber Command, and international partners have released a joint Cybersecurity Advisory to caution against Russian state-sponsored cyber actors using compromised Ubiquiti EdgeRouters for malicious cyber operations. They have also used compromised routers for spoofed landing pages and post-exploitation tools.

As per the advisory (PDF), Russia-backed APT28 actors (aka Fancy Bear) have been using compromised Ubiquiti EdgeRouters since 2022 to carry out covert cyber operations against various industries, including Aerospace & Defense, Education, and Energy & Utilities. The Czech Republic, Italy, Lithuania, Jordan, Montenegro, Poland, Slovakia, Turkey, Ukraine, and the US are some of its key targets. 

In 2023, APT28 actors used Python scripts to collect webmail user credentials and uploaded them to compromised Ubiquiti routers via cross-site scripting and browser-in-the-browser spear-phishing campaigns. They also exploited the CVE-2023-23397 zero-day, despite being patched, to install tools like Impacket ntlmrelayx.py and Responder on compromised routers, allowing NTLM relay attacks and host rogue authentication servers.

For your information, Microsoft’s Threat Protection Intelligence team discovered this vulnerability in Outlook that allowed attackers to steal Net-NTLMv2 hashes and access user accounts. The vulnerability was previously exploited by the group Forest Blizzard, suspected to have affiliations with the Russian military intelligence agency.  

The FBI has identified IOCs for the Mirai-baed Moobot OpenSSH trojan and APT28 activity on EdgeRouters. APT28 actors exploit vulnerabilities in OpenSSH server processes, hosting Python scripts to collect and validate stolen webmail account credentials. The actors have used iptables rules on EdgeRouters to establish reverse proxy connections and upload adversary-controlled SSH RSA keys to compromised routers. They have also used masEPIE, a Python backdoor capable of executing arbitrary commands on victim machines.

Further probing revealed that APT28 used compromised Ubiquiti EdgeRouters as C2 infrastructure for MASEPIE backdoors deployed against targets. Data sent to and from the EdgeRouters was encrypted using a randomly generated 16-character AES key.

The FBI recommends remediating compromised EdgeRouters by performing a hardware factory reset, upgrading to the latest firmware, changing default usernames and passwords, and implementing strategic firewall rules on WAN-side interfaces.

Network owners should keep their operating systems, software, and firmware up-to-date, and update Microsoft Outlook to mitigate CVE-2023-23397. To mitigate other forms of NTLM relay, network owners should consider disabling NTLM or enabling server signing and Extended Protection for Authentication configurations.

Experts Opinions:

For insights into the latest advisory, we reached out to John Bambenek, President at Bambenek Consulting who emphasised on the importance of patching flaws and keeping the system up-to-date.

“The single biggest advance in cybersecurity across the technical stack in 25 years was when Microsoft made auto-updating the default setting in Windows. Across the IoT, embedded devices, and network stack, this is not the norm,” John argued.

“We know devices aren’t patched by consumers or most organizations so why wouldn’t nation-state actors get in on the target-rich environment? These devices have all the weaknesses of normal computers, just without the ability of the user to harden them, put EDR on them, or do anything we would to a server to make it safer. Until manufacturers treat this problem seriously, whether it’s Mirai or a spy, these devices will continue to be compromised in bulk.”

  1. Hackers Steal $47 Million From American Tech Firm Ubiquiti
  2. US Military Satellite Access Sold on Russian Forum for $15K
  3. Russian Hackers Employ Telekopye Toolkit in Phishing Attacks
  4. Russian APT29 Hacked US Biomedical Giant in TeamCity Breach
  5. Russian Midnight Blizzard Hackers Hit MS Teams in Precision Attack
  6. Russian Hackers Hit European Mail Servers for Political, Military Intel
Related Posts